* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
@ 2011-02-14 20:43 Dominick Grift
2011-02-16 17:43 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2011-02-14 20:43 UTC (permalink / raw)
To: refpolicy
I guess read_policy is a permissive required together with read_file_perms for /selinux/policy. What audit_access actually does i do not know. Also i re-ordered execmod and open because currently it was not complete.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 0ef9b12... 1966443... M policy/flask/access_vectors
policy/flask/access_vectors | 18 ++++--------------
1 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0ef9b12..1966443 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -27,6 +27,9 @@ common file
swapon
quotaon
mounton
+ audit_access
+ open
+ execmod
}
@@ -152,7 +155,6 @@ inherits file
reparent
search
rmdir
- open
}
class file
@@ -160,8 +162,6 @@ inherits file
{
execute_no_trans
entrypoint
- execmod
- open
}
class lnk_file
@@ -172,27 +172,16 @@ inherits file
{
execute_no_trans
entrypoint
- execmod
- open
}
class blk_file
inherits file
-{
- open
-}
class sock_file
inherits file
-{
- open
-}
class fifo_file
inherits file
-{
- open
-}
class fd
{
@@ -363,6 +352,7 @@ class security
setbool
setsecparam
setcheckreqprot
+ read_policy
}
--
1.7.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110214/4436a879/attachment.bin
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
2011-02-14 20:43 [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy Dominick Grift
@ 2011-02-16 17:43 ` Stephen Smalley
2011-02-16 17:49 ` Dominick Grift
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2011-02-16 17:43 UTC (permalink / raw)
To: refpolicy
On Mon, 2011-02-14 at 21:43 +0100, Dominick Grift wrote:
> I guess read_policy is a permissive required together with read_file_perms for /selinux/policy. What audit_access actually does i do not know. Also i re-ordered execmod and open because currently it was not complete.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 0ef9b12... 1966443... M policy/flask/access_vectors
> policy/flask/access_vectors | 18 ++++--------------
> 1 files changed, 4 insertions(+), 14 deletions(-)
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 0ef9b12..1966443 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -27,6 +27,9 @@ common file
> swapon
> quotaon
> mounton
> + audit_access
> + open
> + execmod
> }
You can't insert permissions into the common definition without
perturbing the permission values for subsequent permissions in the
per-class definitions. That isn't a problem for recent kernels with
dynamic class/permission mapping support, but it will break
compatibility for older kernels. What you can do instead is to add new
permissions, like audit_access, to the end of each per-file class, and
then kernels with the dynamic class/perm mapping support will
transparently map the values.
>
>
> @@ -152,7 +155,6 @@ inherits file
> reparent
> search
> rmdir
> - open
> }
Likewise you can't move or remove permissions from kernel classes
without breaking old kernels.
>
> class file
> @@ -160,8 +162,6 @@ inherits file
> {
> execute_no_trans
> entrypoint
> - execmod
> - open
> }
>
> class lnk_file
> @@ -172,27 +172,16 @@ inherits file
> {
> execute_no_trans
> entrypoint
> - execmod
> - open
> }
>
> class blk_file
> inherits file
> -{
> - open
> -}
>
> class sock_file
> inherits file
> -{
> - open
> -}
>
> class fifo_file
> inherits file
> -{
> - open
> -}
>
> class fd
> {
> @@ -363,6 +352,7 @@ class security
> setbool
> setsecparam
> setcheckreqprot
> + read_policy
> }
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
2011-02-16 17:43 ` Stephen Smalley
@ 2011-02-16 17:49 ` Dominick Grift
2011-02-16 17:50 ` Eric Paris
0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2011-02-16 17:49 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/16/2011 06:43 PM, Stephen Smalley wrote:
>
> You can't insert permissions into the common definition without
> perturbing the permission values for subsequent permissions in the
> per-class definitions. That isn't a problem for recent kernels with
> dynamic class/permission mapping support, but it will break
> compatibility for older kernels. What you can do instead is to add new
> permissions, like audit_access, to the end of each per-file class, and
> then kernels with the dynamic class/perm mapping support will
> transparently map the values.
>
Thanks for the clarification, was wondering already about why it was
added the way it was. Issue with execmod, open permission in refpolicy
is that its not added to all classes that support it currently.
I guess i will submit a retry.
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1cDjoACgkQMlxVo39jgT/AtwCcCmU8Fq7rVHCpYzwvYItUs/Il
w6wAn1orGBMblcXOHCGXLsnUBESU9x8t
=pJYW
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 4+ messages in thread
* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
2011-02-16 17:49 ` Dominick Grift
@ 2011-02-16 17:50 ` Eric Paris
0 siblings, 0 replies; 4+ messages in thread
From: Eric Paris @ 2011-02-16 17:50 UTC (permalink / raw)
To: refpolicy
On Wed, Feb 16, 2011 at 12:49 PM, Dominick Grift <domg472@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/16/2011 06:43 PM, Stephen Smalley wrote:
>
>>
>> You can't insert permissions into the common definition without
>> perturbing the permission values for subsequent permissions in the
>> per-class definitions. ?That isn't a problem for recent kernels with
>> dynamic class/permission mapping support, but it will break
>> compatibility for older kernels. ?What you can do instead is to add new
>> permissions, like audit_access, to the end of each per-file class, and
>> then kernels with the dynamic class/perm mapping support will
>> transparently map the values.
>>
>
> Thanks for the clarification, was wondering already about why it was
> added the way it was. Issue with execmod, open permission in refpolicy
> is that its not added to all classes that support it currently.
>
> I guess i will submit a retry.
I know dan has a patch in rawhide that does it right....
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-02-16 17:50 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-14 20:43 [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy Dominick Grift
2011-02-16 17:43 ` Stephen Smalley
2011-02-16 17:49 ` Dominick Grift
2011-02-16 17:50 ` Eric Paris
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.